Encrypted - but fully executable - program code now possible

"When you look at [the code], you would have no idea what it's doing" - UCLA lead researcher Professor Amit Sahai

Encrypted - but fully executable - program code now possible

A team of researchers with the University of California in Los Angeles (UCLA) have developed an encoding technology that effectively hides executable program code in plain sight, and without requiring the code to be decrypted before it is run.

Preliminary details of the peer-reviewed technique, developed by UCLA Computer Science Professor Amit Sahai and his team of researchers, were announced at a conference late last year, but now Sahai has published a paper detailing the methodology used.

The idea behind the obfuscation technology is that the encrypted software can be executed, but not reverse-engineered.

For the research, Sahai, who specialises in cryptography at UCLA's Henry Samueli School of Engineering and Applied Science, collaborated with IBM Research's Sanjam Garg, Craig Gentry, Shai Halevi and Mariana Raykova as well as Brent Waters, an assistant professor of computer science at the University of Texas at Austin.

According to Sahai, previous code obfuscation techniques forced an attacker to spend several days trying to reverse-engineer the software. He claims that the new system makes it impossible to reverse-engineer the software without solving complex mathematical problems that would take hundreds of years to work through, even on modern PCs.

"You write your software in a nice, reasonable, human-understandable way and then feed that software to our system," he says. "It will output this mathematically transformed piece of software that would be equivalent in functionality, but when you look at it, you would have no idea what it's doing."

The key to the encoding is functional encryption. Sahai says that, instead of sending an encrypted message, an encrypted function is sent in its place, creating a much more secure way to protect the underlying data.

Sahai claims that a single message could be sent to a group of people so that each receiver would obtain different information, depending on characteristics of that particular receiver.

Visiting Professor John Walker, of Nottingham Trent University and CTO of Xssurance, is enthusiastic about the program encoding technology, noting that the system could be an excellent way of delivering security in a cloud computing environment.

This could, he told SCMagazineUK.com, be the first successful security methodology to use an approach to segregating - and compartmentalising - partial data objects, and only granting access of the complete picture to the authorised person or process.

"I believe we are seeing [here] the future of what cyber security looks like - and a methodology which will drive security to a much safer place," he said.

Clearswift senior VP of products Guy Bunker however warned that even if the encoding system would be useful for preventing reverse engineering of program code in near future, it could also make malware disassembly just as difficult once cybercriminals get their hands on the technology.

Bunker, a security industry veteran and co-author of the 2009 book `Data Leaks For Dummies', also warned that the encoding mechanism would eventually be beaten, especially if it is widely adopted.

He says that it is interesting to draw parallels with polymorphic viruses and malware, which change their code on a rotating basis.

"Having said that, code obfuscation is an interesting approach to keeping the way a program executes hidden," he said, adding that the more widely such a system is used means the faster it is likely to be eventually cracked.

You have to remember, he explained, that there is no silver bullet in security matters, even in encryption.

Professor Peter Sommer, a Visiting Professor at de Montfort University, said he remains to be convinced that the encoding process will be truly useful to security practitioners.

"What is the real-world problem this solution is meant to address? There is currently no problem in rendering files as impenetrable - but it does require significant management discipline among those using - and sharing - the file, as well as the careful deployment of one of the obvious existing tough encryption systems such as AES, Twofish or Cascades," he said.

"And you must never forget that the management interface must be usable by those with the real secrets to hide, not just computer geeks," he added.

SC Media UK arms cyber-security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.